1
00:00:01,030 --> 00:00:08,680
Now that we've got Wireshark installed and we've got our adapter set back to the private host-only network,

2
00:00:08,680 --> 00:00:14,650
vboxnet0, and we've turned that Ethernet adapter, that network adapter, to promiscuous mode

3
00:00:14,670 --> 00:00:20,320
in Advanced, we're ready to... let's go and shut down Wireshark if you still have it running, since we

4
00:00:20,320 --> 00:00:21,220
changed the interface.

5
00:00:21,220 --> 00:00:24,160
And let's start Wireshark back up on that Windows 10 computer.

6
00:00:24,820 --> 00:00:26,160
Then we can go to Capture.

7
00:00:26,680 --> 00:00:28,030
Come to Options.

8
00:00:29,620 --> 00:00:34,810
And we'll just make sure that we're connected to that Ethernet adapter and it's in promiscuous mode. That's

9
00:00:34,810 --> 00:00:36,700
going to be OK. Close.

10
00:00:37,240 --> 00:00:39,850
So we're ready to capture in Wireshark now.

11
00:00:39,850 --> 00:00:45,280
We need to make sure that we have our Mutillidae server and Metasploitable 2 running.

12
00:00:45,280 --> 00:00:49,630
We're actually going to log into Mutillidae, but we're going to try our Metasploitable 2. All you need

13
00:00:49,630 --> 00:00:51,490
to do is the ifconfig.

14
00:00:52,520 --> 00:00:59,030
And that is at 10.0.3.5, and we should be listening on that 10.0.3 host-only network, so

15
00:00:59,030 --> 00:01:02,210
10.0.3.5 for me; if yours is different, that's fine.

16
00:01:02,510 --> 00:01:06,860
Open your Windows 7 box and we're going to open up a browser.

17
00:01:09,300 --> 00:01:13,860
And let's surf to 10.0.3.5.

18
00:01:14,910 --> 00:01:20,190
We can see our Metasploitable box is up and running, and Mutillidae is going to be really useful when

19
00:01:20,190 --> 00:01:24,780
we do web hacking, but we're going to demonstrate how we can capture a plaintext password if it's sent

20
00:01:24,780 --> 00:01:27,800
out over an unencrypted channel across a network.

21
00:01:28,140 --> 00:01:32,940
Anybody who's connected to the network... that Windows 10 machine is completely separate from these other

22
00:01:32,940 --> 00:01:33,720
two computers.

23
00:01:33,720 --> 00:01:38,270
Anybody connected to your network can sniff your passwords if you send them unencrypted.

24
00:01:38,520 --> 00:01:39,780
So let's see that happen.

25
00:01:39,780 --> 00:01:41,810
First of all, come down to Mutillidae.

26
00:01:41,820 --> 00:01:50,010
Mutillidae is a terrific application for learning various web exploits, so you can try different types

27
00:01:50,010 --> 00:01:50,840
of attacks.

28
00:01:50,850 --> 00:01:55,410
It's an attackable platform. Mutillidae: born to be hacked.

29
00:01:55,800 --> 00:01:58,650
Let's go to the Login/Register page.

30
00:01:58,650 --> 00:02:04,150
So we've logged in here on our Windows 7 box, but we've actually logged in to our Metasploitable

31
00:02:04,260 --> 00:02:12,750
server, and we've clicked through to Mutillidae because it has a good Login/Register page, so we can reset

32
00:02:12,750 --> 00:02:18,060
the DB. That'll be handy for us as well. And come back to Login/Register.

33
00:02:20,480 --> 00:02:26,780
I'm going to go ahead and start my login. I'm not going to press Login, but I'll say Fred and my

34
00:02:26,780 --> 00:02:31,580
password is Wilma. You can log in to another service if you wanted to.

35
00:02:31,580 --> 00:02:35,440
You could log into anything that doesn't require an encrypted connection.

36
00:02:35,780 --> 00:02:42,230
The key to this is that if you ever log in to an HTTP server, whether that's your WordPress server

37
00:02:42,230 --> 00:02:49,850
and you do your wp-login over HTTP, or if you log in to your school's email, your work e-mail, over

38
00:02:49,850 --> 00:02:57,440
an unsecure connection, your password is being sent over a huge network, just like the one we're about

39
00:02:57,440 --> 00:02:58,200
to see here.

40
00:02:58,220 --> 00:03:01,820
So this is a small network with just three computers running on it right now.

41
00:03:02,090 --> 00:03:09,020
But I've got my Windows 7 computer ready to log in to this login page that is not secure on my Metasploitable

42
00:03:09,020 --> 00:03:09,870
server.

43
00:03:10,250 --> 00:03:11,380
Hold it right there.

44
00:03:11,720 --> 00:03:17,300
We're going to come over to Windows 10 that's running our Wireshark, and we're going to start the packet

45
00:03:17,300 --> 00:03:18,980
capture. Press Start.

46
00:03:19,340 --> 00:03:21,880
And now Windows 10 is going to be listening for packets.

47
00:03:21,920 --> 00:03:25,550
Let's send it a packet. We'll log in with Fred and Wilma.

48
00:03:25,590 --> 00:03:27,620
Notice it's asking if we want to remember the password.

49
00:03:27,650 --> 00:03:28,550
No, we don't.

50
00:03:29,150 --> 00:03:34,130
So when we run this, we're going to see that it needs the database set up.

51
00:03:34,130 --> 00:03:37,370
But that's OK, because we have sent our login information.

52
00:03:37,370 --> 00:03:38,870
Switch back to Wireshark and press

53
00:03:38,870 --> 00:03:39,380
Stop.

54
00:03:40,760 --> 00:03:46,430
So on the Windows 10 computer, we're stopping Wireshark. Now, all we need to do is, well, first,

55
00:03:46,430 --> 00:03:52,250
let's save these captured packets: File, Save As. So I'm just sniffing at work.

56
00:03:52,250 --> 00:03:57,950
I see somebody logging in on a computer over someplace else, that Windows 7 computer, someplace across

57
00:03:57,950 --> 00:04:02,180
the coffee shop, or any place that I'm doing security testing.

58
00:04:03,110 --> 00:04:11,420
I'm going to call this "login traffic", because I think somebody logged in, and we'll use the pcapng

59
00:04:11,690 --> 00:04:13,910
format. Press Save.

60
00:04:15,410 --> 00:04:21,650
So we've got these packets that we can come back and look at later, but let's go ahead and go to Edit,

61
00:04:22,430 --> 00:04:23,420
Find Packet.

62
00:04:24,970 --> 00:04:29,020
And let's change this to String and see if we can find...

63
00:04:29,940 --> 00:04:38,980
Well, a lot of times when a website posts or sends a form to a server, it uses the POST command or

64
00:04:38,980 --> 00:04:39,870
the POST format.

65
00:04:39,880 --> 00:04:43,990
So let's see if we can find POST, and we may see a few down here.

66
00:04:43,990 --> 00:04:45,990
Look, look at this one highlighted right here.

67
00:04:46,510 --> 00:04:53,080
There's a POST from 10.0.3.4, that must be one Windows 7 computer, to

68
00:04:53,080 --> 00:04:54,180
10.0.3.5.

69
00:04:54,190 --> 00:05:01,060
That is my Mutillidae, my Mutillidae website running on the Metasploitable box.

70
00:05:01,060 --> 00:05:08,950
And notice it's an HTTP POST and it's trying to post a login, so we could also search for "login" as a

71
00:05:08,950 --> 00:05:09,490
string.

72
00:05:10,120 --> 00:05:13,230
But if you know how web forms work, POST is a really good one.

73
00:05:13,630 --> 00:05:16,390
So if I click on this packet and if I double-click...

74
00:05:17,460 --> 00:05:26,880
I'm going to see that it had an HTTP form, or HTML form. If I expand that, look at the information that

75
00:05:26,880 --> 00:05:33,440
went across this network: Fred, and a password of Wilma, and attempted to log in.

76
00:05:33,830 --> 00:05:34,860
Wow.

77
00:05:34,860 --> 00:05:41,580
That should scare you if you ever log into a website that doesn't have HTTPS.

78
00:05:41,610 --> 00:05:47,160
And that little lock symbol lets you know that the site is secure, that it's encrypting that traffic

79
00:05:47,160 --> 00:05:52,980
before it sends it out. You need to know that you are sending usernames and passwords in plain text

80
00:05:52,980 --> 00:05:53,910
across a network.

81
00:05:54,180 --> 00:05:58,890
I'm on a completely different computer that just happens to be connected to the same network.

82
00:05:58,890 --> 00:06:01,930
And I can see Fred and Wilma as plain as day.

83
00:06:02,280 --> 00:06:09,000
So if those were my username and password for that remote server, my Metasploitable server, I would

84
00:06:09,000 --> 00:06:12,480
have just given that out in plain text on the network.

85
00:06:12,480 --> 00:06:17,700
That's almost like putting a Post-it note on your monitor with the username and password for your favorite

86
00:06:17,700 --> 00:06:18,250
website.

87
00:06:18,870 --> 00:06:23,850
So let's look through this packet a little bit down below and see, we can see the individual characters

88
00:06:23,850 --> 00:06:24,690
in that packet.

89
00:06:25,030 --> 00:06:29,640
And if you scroll down here, you can see password equals Wilma.

90
00:06:30,830 --> 00:06:38,270
It's all right there, password equals Wilma. So there's a whole lot of other digital information that

91
00:06:38,270 --> 00:06:40,640
was sent in this packet; you can see that.

92
00:06:41,760 --> 00:06:48,240
It tells the location of the form, tells what kind of information it accepts, and a lot more, but the

93
00:06:48,240 --> 00:06:51,960
key word that we were looking for was our password.

94
00:06:52,410 --> 00:06:58,950
And we found that just by looking for information that had been posted to a web server. You can also,

95
00:06:59,010 --> 00:07:05,160
when you get good at using Wireshark, you can search for strings like "pass" or "password" or "pwd", and you

96
00:07:05,160 --> 00:07:06,780
will turn up a lot more like this.

97
00:07:06,780 --> 00:07:13,260
It just turns out that our very first form posting we captured, just for a little bit, that we didn't

98
00:07:13,260 --> 00:07:19,350
have to do very much searching, because we captured right as that user was clicking Login. Then we stopped

99
00:07:19,350 --> 00:07:23,790
our capture, saved everything, and now we can surf through that packet.

100
00:07:23,850 --> 00:07:26,280
That individual packet was sent. Notice

101
00:07:26,280 --> 00:07:30,150
there's a whole lot of packets that were sent, and some even had POSTs in them.

102
00:07:31,080 --> 00:07:33,030
But we were lucky to turn up that POST

103
00:07:33,030 --> 00:07:37,470
to Mutillidae going to 10.0.3.5 pretty quickly.

104
00:07:38,250 --> 00:07:43,320
There's one more set of skills that we need to flex to understand why it's important to have good passwords

105
00:07:43,590 --> 00:07:47,190
and why it's important to protect those passwords with good security.

106
00:07:47,580 --> 00:07:49,090
And we'll see that in the next lesson.

107
00:07:49,090 --> 00:07:54,780
Then we'll do a wrap-up and see some tips on how you can avoid having your passwords taken the way that

108
00:07:54,780 --> 00:07:57,120
we've shown in these lessons so far.